Wednesday, May 09, 2007

Liability of reverse engineering

Christopher Hoff asks an admittedly naïve question: "If I ... engage in reverse engineering of a product that is covered by patent/IP protection and/or EULA's that expressly forbids reverse engineering, how would I deflect liability for violating these tenets ...".

There are actually few issues with reverse-engineering itself. Reverse-engineering is LEGAL, PROTECTED BY LAW, and ETHICAL. Many of the issues people think are due to reverse-engineering are actually due to other problems.

Hoff mentions the recent HID case, where the company sued a researcher on patent grounds to prevent him from disclosing their problems. The details of the case had nothing to do with reverse engineering. In order to demonstrate cracking of HID's keys, the researcher had to build a device. That device MAY have been covered by HID's patents. Therefore, HID claims were about patent infringement; they had nothing to do with reverse-engineering.

In the Mike Lynn case, Cisco claimed that Mike did something more than simple reverse-engineering. For example, Cisco suspected the Mike was going to disclose the source-code that was rumored to be stolen a couple years ago. Therefore, it wasn't reverse-engineering itself that was at the crux of the suit.

There have been other famous cases of reverse engineering, from printer cartridges to video game compatibility. In virtually every instance, the right to reverse engineer products has been protected.

The reason reverse-engineering has a bad odor is because breaks down in two places: EULAs and the DMCA. EULAs are tricky because you agree NOT to reverse-engineer their product. If you reverse-engineer the product, you are breaking a contract. The DMCA forbids reverse-engineering where the effect of the reverse-engineering is to break copyright. It specifically says that you can still reverse-engineer iTunes and the Zune in order to interoperate with it or to find security vulnerabilities, but you may not reverse it in order to bypass the copyright protections.

An illustrative example is the ruling in the Blizzard vs. Bnetd. Bnetd was an open-source server for playing games like Diablo and Starcraft. Bnetd was found guilty of two things. The first was that they were found guilty of breaking the contract with Blizzard. They had purchased the games and agreed that they would not reverse-engineer Blizzard's products, but reversed them anyway. Second, they were found guilty of breaking the law under DMCA. While they were within their rights to create "interoperable" software, the effect was to enable bypassing of copyright. Blizzard servers checked license keys, Bnetd servers did not, so Bnetd enabled software piracy.

Therefore, if you want to do reverse-engineering, you can (probably) ignore the law on reverse-engineering, but you have to pay attention to the EULA and the DMCA.

Bypassing the EULA is usually pretty easy. For example, bought Cisco routers off of eBay. I am reverse-engineering the code I found on those routers. I am not agreeing to Cisco's EULA; I have never agreed to the Cisco EULA. Bypassing the DMCA is even easier: if you aren't helping copyright pirates, then you probably aren't breaking the DMCA law.

Recently, Dave and I posted information about Airtight. This was forbidden by their EULA. However, we did not agree to their EULA, so therefore we did not break their contract. We sat down outside of somebody else's installation and sent wifi packets at them, and monitored the packets sent back from them. We could therefore review their product because we did not actually use it. (BTW, you should wary of company with EULA's like Airtights because nobody can publicly challenge their claims).

Hoff asks "Do you ... simply count on the understanding that if one can show "purity" of non-malicious motivation that nothing bad will occur?". Again, this question is false. There are no "pure" motivations. It's like how guilty criminals in jail believe that they are innocent because their motivations were somehow pure. Publishing advisories to pimp your cleverness is not a "pure" motivation. Mike Lynn's motivation in the Cisco case was not "pure" (How much really has the Internet been made safer by his actions? How much fame and higher wages has he earned??)

Your own justifications are not a legal defense. Remember that justice is blind. It cares about law as written, not whether you are a good person at heart, or what your justification is. The legal system is like computer code, it is largely automatic and inescapable. I often read just justifications on Slashdot and am amused by how they just wouldn't work in the real world.

The real question is whether you can count upon whether it is in a company's best interest. Microsoft, for example, does not sue people like eEye who maliciously reverse their code because it's not in their best interest. Microsoft has had plenty of justification to sue me (even in areas outside of security), but has not because it's not in their best interest. On the other hand, there is a good chance that companies will not recognize their best interests, such as Cisco in the Mike Lynn case.

Note that sometimes companies are forced to act even when it is against their best interests. Microsoft, for example, must sue teenage kids to protect their trademark even though it generates bad publicity. Likewise, ISS was forced to sue Mike Lynn in the Cisco case. However, HID was not required to sue to protect patents. When and why such things are automatically triggered is a bit tricky.

Lastly, the biggest point to take away from this is that people can sue you even when they are wrong and you are right. In the HID case, they were almost certainly wrong, but it would take a lot of money and time by the researchers to prove this to the court. Likewise, websites hosting the recently cracked AACS key comply to takedown notices even though the law may be on their side. It can easily take 100k to defend yourself in court. Companies don't want to spend that much to prosecute you either, and will likely back down if you stand up for yourself, but they are betting that you will blink first.

6 comments:

You missed part of the copyright issue, Robert. When talking about software, the process of reverse engineering requires some number of intermediate copies of the target be made (a disassembly). Copyright holders can argue that these intermediate copies are not authorized, and therefore constitute infringement.

The ensuing question is whether this is covered by fair use doctrine (in the US). The Supreme Court held in Sega v Accolade that Accolade's reverse engineering (for compatibility purposes) *was* fair use, but the decision is not necessarily broad enough to cover all RE. In this case the intent of the copying is relevant, so if you are reverse engineering software with the intent to do something that would cause harm to the software vendor, it would be a much harder case. You'd run a real risk of an infringement suit in that case.

My point was to pin the debate on what has been successfully argued in existing cases. Trying to imagine creative ways around the law will get you into trouble. Imaging ways your adversary might sue you will make you too afraid to do anything, which is worse.

I have always questioned the legality of writing generic reverse engineering tools as well. Is it legal? Even if the tool CANT make changes to the binary/code? Its a tricky question that I've gotten multiple conflicting answers for from various experts.

I have always questioned the legality of writing generic reverse engineering tools as well. Is it legal? I've gotten multiple conflicting answers for from various experts.

As I said in the post, reverse-engineering is legal, therefore writing tools for a legal activity is also legal. You wouldn't get conflicting answers from experts, although they might not have understood the question.

One reason they might not understand is if you are writing reverse-engineering tools in order to bypass the DMCA. The answer an expert should give is "it hasn't been tested in court, so we don't know".

Jennifer Granick acknowledges that IOActive may be guilty of patent "inducement" (see http://www.wired.com/politics/law/commentary/circuitcourt/2007/02/72819.

At http://www.generalpatent.com/different-types-patent-infringement-0, Alexander Poltorak of General Patent Corporation explains"Indirect infringement takes two forms: contributory infringement or inducement to infringe. Patent law states that "whoever actively induces infringement of a patent shall be liable as an infringer" (35 U.S.C. § 271(b)). In other words, a company does not have to infringe a patent directly in order to be sued for patent infringement."

"Induced infringement is that which enables the direct infringer to practice the patented intention. This type of infringement can take the form of helping the direct infringer to assemble the patented product; providing instructions that detail how to produce the patented invention; preparing instructions for consumer use; or licensing plans or a process which enable the licensee to produce the patented product or process. The test for induced infringement is whether the inducer has demonstrated active aiding and abetting of the direct infringer's infringing activities."

Based on this, it actually seems likely that IOActive would have been guilty of patent inducment had they gone ahead released schematics and source code.IOActive backed off after consulting their expensive attorneys for a reason. So they decided to take the "safe" route and not release the source code and schematics. By posting HID's letter, IOActive managed to make it look like another case of a big company stiffling a security researcher which is why this became big news. As pointed out by other people, this wasn't the first time that a Prox card was cloned.